提交 b56b3141 编写于 作者: X xuelei

7109274: Restrict the use of certificates with RSA keys less than 1024 bits

Summary: This restriction is applied via the Java Security property, "jdk.certpath.disabledAlgorithms". This will impact providers that adhere to this security property.
Reviewed-by: mullan
上级 d92f8f18
...@@ -371,7 +371,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -371,7 +371,7 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
......
...@@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
......
...@@ -373,7 +373,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -373,7 +373,7 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
......
...@@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2 jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
......
...@@ -21,18 +21,22 @@ ...@@ -21,18 +21,22 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* @bug 6714842 * @bug 6714842
* @library ../../../testlibrary * @library ../../../testlibrary
* @build CertUtils * @build CertUtils
* @run main BuildEEBasicConstraints * @run main/othervm BuildEEBasicConstraints
* @summary make sure a PKIX CertPathBuilder builds a path to an * @summary make sure a PKIX CertPathBuilder builds a path to an
* end entity certificate when the setBasicConstraints method of the * end entity certificate when the setBasicConstraints method of the
* X509CertSelector of the targetConstraints PKIXBuilderParameters * X509CertSelector of the targetConstraints PKIXBuilderParameters
* parameter is set to -2. * parameter is set to -2.
*/ */
import java.security.Security;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertPath; import java.security.cert.CertPath;
import java.security.cert.CertStore; import java.security.cert.CertStore;
...@@ -49,6 +53,9 @@ import java.util.List; ...@@ -49,6 +53,9 @@ import java.util.List;
public final class BuildEEBasicConstraints { public final class BuildEEBasicConstraints {
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer");
TrustAnchor anchor = new TrustAnchor TrustAnchor anchor = new TrustAnchor
......
...@@ -21,16 +21,22 @@ ...@@ -21,16 +21,22 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* @bug 4684793 * @bug 4684793
* @summary verify that the RFC3280 policy processing changes are implemented correctly * @summary verify that the RFC3280 policy processing changes are
* implemented correctly
* @run main/othervm TestPolicy
* @author Andreas Sterbenz * @author Andreas Sterbenz
*/ */
import java.io.*; import java.io.*;
import java.util.*; import java.util.*;
import java.security.Security;
import java.security.cert.*; import java.security.cert.*;
public class TestPolicy { public class TestPolicy {
...@@ -72,6 +78,10 @@ public class TestPolicy { ...@@ -72,6 +78,10 @@ public class TestPolicy {
}; };
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
factory = CertificateFactory.getInstance("X.509"); factory = CertificateFactory.getInstance("X.509");
X509Certificate anchor = loadCertificate("anchor.cer"); X509Certificate anchor = loadCertificate("anchor.cer");
......
...@@ -21,6 +21,9 @@ ...@@ -21,6 +21,9 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* *
...@@ -392,6 +395,9 @@ public class CPBuilder { ...@@ -392,6 +395,9 @@ public class CPBuilder {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
......
...@@ -21,6 +21,9 @@ ...@@ -21,6 +21,9 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* *
...@@ -28,7 +31,7 @@ ...@@ -28,7 +31,7 @@
* @summary Disable MD2 support. * @summary Disable MD2 support.
* New CertPathValidatorException.BasicReason enum constant for * New CertPathValidatorException.BasicReason enum constant for
* constrained algorithm. * constrained algorithm.
* * @run main/othervm CPValidatorEndEntity
* @author Xuelei Fan * @author Xuelei Fan
*/ */
...@@ -313,6 +316,10 @@ public class CPValidatorEndEntity { ...@@ -313,6 +316,10 @@ public class CPValidatorEndEntity {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
try { try {
validate(endentiry_SHA1withRSA_1024_1024, validate(endentiry_SHA1withRSA_1024_1024,
intermediate_SHA1withRSA_1024_1024); intermediate_SHA1withRSA_1024_1024);
......
...@@ -21,6 +21,9 @@ ...@@ -21,6 +21,9 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* *
...@@ -28,7 +31,7 @@ ...@@ -28,7 +31,7 @@
* @summary Disable MD2 support * @summary Disable MD2 support
* new CertPathValidatorException.BasicReason enum constant for * new CertPathValidatorException.BasicReason enum constant for
* constrained algorithm * constrained algorithm
* * @run main/othervm CPValidatorIntermediate
* @author Xuelei Fan * @author Xuelei Fan
*/ */
...@@ -212,6 +215,10 @@ public class CPValidatorIntermediate { ...@@ -212,6 +215,10 @@ public class CPValidatorIntermediate {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
try { try {
validate(intermediate_SHA1withRSA_1024_1024); validate(intermediate_SHA1withRSA_1024_1024);
validate(intermediate_SHA1withRSA_1024_512); validate(intermediate_SHA1withRSA_1024_512);
......
...@@ -21,6 +21,9 @@ ...@@ -21,6 +21,9 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/** /**
* @test * @test
* *
...@@ -28,7 +31,7 @@ ...@@ -28,7 +31,7 @@
* @summary Disable MD2 support * @summary Disable MD2 support
* new CertPathValidatorException.BasicReason enum constant for * new CertPathValidatorException.BasicReason enum constant for
* constrained algorithm * constrained algorithm
* * @run main/othervm CPValidatorTrustAnchor
* @author Xuelei Fan * @author Xuelei Fan
*/ */
...@@ -133,6 +136,10 @@ public class CPValidatorTrustAnchor { ...@@ -133,6 +136,10 @@ public class CPValidatorTrustAnchor {
} }
public static void main(String args[]) throws Exception { public static void main(String args[]) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
try { try {
validate(trustAnchor_SHA1withRSA_1024); validate(trustAnchor_SHA1withRSA_1024);
validate(trustAnchor_SHA1withRSA_512); validate(trustAnchor_SHA1withRSA_512);
......
...@@ -21,14 +21,14 @@ ...@@ -21,14 +21,14 @@
* questions. * questions.
*/ */
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/* /*
* @test * @test
* @bug 6690018 * @bug 6690018
* @summary RSAClientKeyExchange NullPointerException * @summary RSAClientKeyExchange NullPointerException
* @run main/othervm RSAExport * @run main/othervm RSAExport
*
* SunJSSE does not support dynamic system properties, no way to re-use
* system properties in samevm/agentvm mode.
*/ */
/* /*
...@@ -199,6 +199,7 @@ ...@@ -199,6 +199,7 @@
import java.io.*; import java.io.*;
import java.net.*; import java.net.*;
import java.security.Security;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyFactory; import java.security.KeyFactory;
import java.security.cert.Certificate; import java.security.cert.Certificate;
...@@ -415,6 +416,10 @@ public class RSAExport { ...@@ -415,6 +416,10 @@ public class RSAExport {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
if (debug) if (debug)
System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.debug", "all");
......
/*
* Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
/*
* @test
* @bug 7109274
* @summary Consider disabling support for X.509 certificates with RSA keys
* less than 1024 bits
*
* @run main/othervm DisabledShortRSAKeys PKIX TLSv1.2
* @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.2
* @run main/othervm DisabledShortRSAKeys PKIX TLSv1.1
* @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.1
* @run main/othervm DisabledShortRSAKeys PKIX TLSv1
* @run main/othervm DisabledShortRSAKeys SunX509 TLSv1
* @run main/othervm DisabledShortRSAKeys PKIX SSLv3
* @run main/othervm DisabledShortRSAKeys SunX509 SSLv3
*/
import java.net.*;
import java.util.*;
import java.io.*;
import javax.net.ssl.*;
import java.security.Security;
import java.security.KeyStore;
import java.security.KeyFactory;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.*;
import java.security.interfaces.*;
import sun.misc.BASE64Decoder;
public class DisabledShortRSAKeys {
/*
* =============================================================
* Set the various variables needed for the tests, then
* specify what tests to run on each side.
*/
/*
* Should we run the client or server in a separate thread?
* Both sides can throw exceptions, but do you have a preference
* as to which side should be the main thread.
*/
static boolean separateServerThread = true;
/*
* Where do we find the keystores?
*/
// Certificates and key used in the test.
static String trustedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" +
"MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" +
"MTEwODE5MDE1MjE5WhcNMzIwNzI5MDE1MjE5WjA7MQswCQYDVQQGEwJVUzENMAsG\n" +
"A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" +
"KoZIhvcNAQEBBQADgY0AMIGJAoGBAM8orG08DtF98TMSscjGsidd1ZoN4jiDpi8U\n" +
"ICz+9dMm1qM1d7O2T+KH3/mxyox7Rc2ZVSCaUD0a3CkhPMnlAx8V4u0H+E9sqso6\n" +
"iDW3JpOyzMExvZiRgRG/3nvp55RMIUV4vEHOZ1QbhuqG4ebN0Vz2DkRft7+flthf\n" +
"vDld6f5JAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLl81dnfp0wDrv0OJ1sxlWzH83Xh\n" +
"MGMGA1UdIwRcMFqAFLl81dnfp0wDrv0OJ1sxlWzH83XhoT+kPTA7MQswCQYDVQQG\n" +
"EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" +
"Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEE\n" +
"BQADgYEALlgaH1gWtoBZ84EW8Hu6YtGLQ/L9zIFmHonUPZwn3Pr//icR9Sqhc3/l\n" +
"pVTxOINuFHLRz4BBtEylzRIOPzK3tg8XwuLb1zd0db90x3KBCiAL6E6cklGEPwLe\n" +
"XYMHDn9eDsaq861Tzn6ZwzMgw04zotPMoZN0mVd/3Qca8UJFucE=\n" +
"-----END CERTIFICATE-----";
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICNDCCAZ2gAwIBAgIBDDANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" +
"MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" +
"MTExMTA3MTM1NTUyWhcNMzEwNzI1MTM1NTUyWjBPMQswCQYDVQQGEwJVUzENMAsG\n" +
"A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n" +
"BAMTCWxvY2FsaG9zdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3Pb49OSPfOD2G\n" +
"HSXFCFx1GJEZfqG9ZUf7xuIi/ra5dLjPGAaoY5QF2QOa8VnOriQCXDfyXHxsuRnE\n" +
"OomxL7EVAgMBAAGjeDB2MAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUXNCJK3/dtCIc\n" +
"xb+zlA/JINlvs/MwHwYDVR0jBBgwFoAUuXzV2d+nTAOu/Q4nWzGVbMfzdeEwJwYD\n" +
"VR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAzANBgkqhkiG9w0B\n" +
"AQQFAAOBgQB2qIDUxA2caMPpGtUACZAPRUtrGssCINIfItETXJZCx/cRuZ5sP4D9\n" +
"N1acoNDn0hCULe3lhXAeTC9NZ97680yJzregQMV5wATjo1FGsKY30Ma+sc/nfzQW\n" +
"+h/7RhYtoG0OTsiaDCvyhI6swkNJzSzrAccPY4+ZgU8HiDLzZTmM3Q==\n" +
"-----END CERTIFICATE-----";
// Private key in the format of PKCS#8, key size is 512 bits.
static String targetPrivateKey =
"MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAtz2+PTkj3zg9hh0l\n" +
"xQhcdRiRGX6hvWVH+8biIv62uXS4zxgGqGOUBdkDmvFZzq4kAlw38lx8bLkZxDqJ\n" +
"sS+xFQIDAQABAkByx/5Oo2hQ/w2q4L8z+NTRlJ3vdl8iIDtC/4XPnfYfnGptnpG6\n" +
"ZThQRvbMZiai0xHQPQMszvAHjZVme1eDl3EBAiEA3aKJHynPVCEJhpfCLWuMwX5J\n" +
"1LntwJO7NTOyU5m8rPECIQDTpzn5X44r2rzWBDna/Sx7HW9IWCxNgUD2Eyi2nA7W\n" +
"ZQIgJerEorw4aCAuzQPxiGu57PB6GRamAihEAtoRTBQlH0ECIQDN08FgTtnesgCU\n" +
"DFYLLcw1CiHvc7fZw4neBDHCrC8NtQIgA8TOUkGnpCZlQ0KaI8KfKWI+vxFcgFnH\n" +
"3fnqsTgaUs4=";
static char passphrase[] = "passphrase".toCharArray();
/*
* Is the server ready to serve?
*/
volatile static boolean serverReady = false;
/*
* Turn on SSL debugging?
*/
static boolean debug = false;
/*
* Define the server side of the test.
*
* If the server prematurely exits, serverReady will be set to true
* to avoid infinite hangs.
*/
void doServerSide() throws Exception {
SSLContext context = generateSSLContext(null, targetCertStr,
targetPrivateKey);
SSLServerSocketFactory sslssf = context.getServerSocketFactory();
SSLServerSocket sslServerSocket =
(SSLServerSocket)sslssf.createServerSocket(serverPort);
serverPort = sslServerSocket.getLocalPort();
/*
* Signal Client, we're ready for his connect.
*/
serverReady = true;
try (SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept()) {
InputStream sslIS = sslSocket.getInputStream();
OutputStream sslOS = sslSocket.getOutputStream();
sslIS.read();
sslOS.write('A');
sslOS.flush();
throw new Exception(
"RSA keys shorter than 1024 bits should be disabled");
} catch (SSLHandshakeException sslhe) {
// the expected exception, ignore
}
}
/*
* Define the client side of the test.
*
* If the server prematurely exits, serverReady will be set to true
* to avoid infinite hangs.
*/
void doClientSide() throws Exception {
/*
* Wait for server to get started.
*/
while (!serverReady) {
Thread.sleep(50);
}
SSLContext context = generateSSLContext(trustedCertStr, null, null);
SSLSocketFactory sslsf = context.getSocketFactory();
try (SSLSocket sslSocket =
(SSLSocket)sslsf.createSocket("localhost", serverPort)) {
// only enable the target protocol
sslSocket.setEnabledProtocols(new String[] {enabledProtocol});
// enable a block cipher
sslSocket.setEnabledCipherSuites(
new String[] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"});
InputStream sslIS = sslSocket.getInputStream();
OutputStream sslOS = sslSocket.getOutputStream();
sslOS.write('B');
sslOS.flush();
sslIS.read();
throw new Exception(
"RSA keys shorter than 1024 bits should be disabled");
} catch (SSLHandshakeException sslhe) {
// the expected exception, ignore
}
}
/*
* =============================================================
* The remainder is just support stuff
*/
private static String tmAlgorithm; // trust manager
private static String enabledProtocol; // the target protocol
private static void parseArguments(String[] args) {
tmAlgorithm = args[0];
enabledProtocol = args[1];
}
private static SSLContext generateSSLContext(String trustedCertStr,
String keyCertStr, String keySpecStr) throws Exception {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// create a key store
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(null, null);
// import the trused cert
Certificate trusedCert = null;
ByteArrayInputStream is = null;
if (trustedCertStr != null) {
is = new ByteArrayInputStream(trustedCertStr.getBytes());
trusedCert = cf.generateCertificate(is);
is.close();
ks.setCertificateEntry("RSA Export Signer", trusedCert);
}
if (keyCertStr != null) {
// generate the private key.
PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
new BASE64Decoder().decodeBuffer(keySpecStr));
KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPrivateKey priKey =
(RSAPrivateKey)kf.generatePrivate(priKeySpec);
// generate certificate chain
is = new ByteArrayInputStream(keyCertStr.getBytes());
Certificate keyCert = cf.generateCertificate(is);
is.close();
Certificate[] chain = null;
if (trusedCert != null) {
chain = new Certificate[2];
chain[0] = keyCert;
chain[1] = trusedCert;
} else {
chain = new Certificate[1];
chain[0] = keyCert;
}
// import the key entry.
ks.setKeyEntry("Whatever", priKey, passphrase, chain);
}
// create SSL context
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
tmf.init(ks);
SSLContext ctx = SSLContext.getInstance("TLS");
if (keyCertStr != null && !keyCertStr.isEmpty()) {
KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
kmf.init(ks, passphrase);
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
ks = null;
} else {
ctx.init(null, tmf.getTrustManagers(), null);
}
return ctx;
}
// use any free port by default
volatile int serverPort = 0;
volatile Exception serverException = null;
volatile Exception clientException = null;
public static void main(String[] args) throws Exception {
if (debug)
System.setProperty("javax.net.debug", "all");
/*
* Get the customized arguments.
*/
parseArguments(args);
/*
* Start the tests.
*/
new DisabledShortRSAKeys();
}
Thread clientThread = null;
Thread serverThread = null;
/*
* Primary constructor, used to drive remainder of the test.
*
* Fork off the other side, then do your work.
*/
DisabledShortRSAKeys() throws Exception {
try {
if (separateServerThread) {
startServer(true);
startClient(false);
} else {
startClient(true);
startServer(false);
}
} catch (Exception e) {
// swallow for now. Show later
}
/*
* Wait for other side to close down.
*/
if (separateServerThread) {
serverThread.join();
} else {
clientThread.join();
}
/*
* When we get here, the test is pretty much over.
* Which side threw the error?
*/
Exception local;
Exception remote;
String whichRemote;
if (separateServerThread) {
remote = serverException;
local = clientException;
whichRemote = "server";
} else {
remote = clientException;
local = serverException;
whichRemote = "client";
}
/*
* If both failed, return the curthread's exception, but also
* print the remote side Exception
*/
if ((local != null) && (remote != null)) {
System.out.println(whichRemote + " also threw:");
remote.printStackTrace();
System.out.println();
throw local;
}
if (remote != null) {
throw remote;
}
if (local != null) {
throw local;
}
}
void startServer(boolean newThread) throws Exception {
if (newThread) {
serverThread = new Thread() {
public void run() {
try {
doServerSide();
} catch (Exception e) {
/*
* Our server thread just died.
*
* Release the client, if not active already...
*/
System.err.println("Server died...");
serverReady = true;
serverException = e;
}
}
};
serverThread.start();
} else {
try {
doServerSide();
} catch (Exception e) {
serverException = e;
} finally {
serverReady = true;
}
}
}
void startClient(boolean newThread) throws Exception {
if (newThread) {
clientThread = new Thread() {
public void run() {
try {
doClientSide();
} catch (Exception e) {
/*
* Our client thread just died.
*/
System.err.println("Client died...");
clientException = e;
}
}
};
clientThread.start();
} else {
try {
doClientSide();
} catch (Exception e) {
clientException = e;
}
}
}
}
...@@ -23,6 +23,9 @@ ...@@ -23,6 +23,9 @@
* questions. * questions.
*/ */
// This test case relies on updated static security property, no way to re-use
// security property in samevm/agentvm mode.
/* /*
* @test * @test
* @bug 7106773 * @bug 7106773
...@@ -38,6 +41,7 @@ import java.net.*; ...@@ -38,6 +41,7 @@ import java.net.*;
import java.util.*; import java.util.*;
import java.io.*; import java.io.*;
import javax.net.ssl.*; import javax.net.ssl.*;
import java.security.Security;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyFactory; import java.security.KeyFactory;
import java.security.cert.Certificate; import java.security.cert.Certificate;
...@@ -275,6 +279,10 @@ public class ShortRSAKey512 { ...@@ -275,6 +279,10 @@ public class ShortRSAKey512 {
volatile Exception clientException = null; volatile Exception clientException = null;
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
if (debug) if (debug)
System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.debug", "all");
......
...@@ -44,10 +44,10 @@ case "$OS" in ...@@ -44,10 +44,10 @@ case "$OS" in
;; ;;
esac esac
# Choose 512-bit RSA to make sure it runs fine and fast on all platforms. In fact, # Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In
# every keyalg/keysize combination is OK for this test. # fact, every keyalg/keysize combination is OK for this test.
KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 512" KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 1024"
JAR=$TESTJAVA${FS}bin${FS}jar JAR=$TESTJAVA${FS}bin${FS}jar
JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
JAVAC=$TESTJAVA${FS}bin${FS}javac JAVAC=$TESTJAVA${FS}bin${FS}javac
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册